[WEB SECURITY] XSS cheat sheet for developers

Jon Passki jon at passki.us
Wed Feb 27 11:41:35 EST 2013


Constructive criticism is always appreciated.

* CSL is released under a BSD license and is open source. Feel free to incorporate whatever makes sense for ESAPI.
* CSL solved an immediate need for Coverity that wasn't solved by existing projects.

I dunno why the Internet rage machine is pointed at CSL today. I think the community is better served if we can move the discussion back to constructive criticisms, quantified results, and actionable feedback instead of snide comments. Alas, it's a free world so carry on as you see fit.

Regards,

Jon

p.s. Happy to move this discussion into meat space too. I think a lot of us are in SF for RSA. Happy to keep it to email too.

On Feb 27, 2013, at 8:13 AM, Eric Sheridan <eric.sheridan at owasp.org> wrote:

> At least you admit you're promoting something of your own (i.e. CSL) by
> keeping it separate instead of helping OWASP T10 promote their agenda
> (ex: ESAPI).
> 
> Nice research.
> 
> Sincerely,
> Eric Sheridan
> (twitter) @eric_sheridan
> (blog) http://ericsheridan.blogspot.com
> 
> On 2/27/13 10:45 AM, romain wrote:
>> Argh, sorry about the blog and IE10. Not the first time I hear that...
>> 
>> Concerning the CSS string escaper we did some testing, but not on super
>> old browsers actually. However, we looked at how CSS parsers are
>> recovering from errors, and what characters need to be escaped. That's
>> mostly why our CSS string escaper will escape newline chars and more.
>> Still, we have some more work to do; CSS parsers are a real pain.
>> 
>> Contributing to OWASP XSS prevention cheat sheet is something we talked
>> about. However, the OWASP document is first of all promoting ESAPI when
>> we are sorta promoting our lib. We are also talking about HTML contexts
>> at a more fine-grained level and it's difficult to put this in the OWASP
>> framework.
>> The OWASP cheat sheet format also doesn't play well with what we wanted
>> to do. They are driven by a few rules for preventing XSS; we're more about
>> code examples.
>> 
>> Romain
>> - @rgaucher
>> 
>> 
>> On Wed, Feb 27, 2013 at 12:31 AM, Erlend Oftedal <erlend at oftedal.no> wrote:
>> 
>>    Hard to tell really as your website blocks IE10 thinking it's IE6
>>    (not optimizing for old browsers is ok, but blocking is an
>>    antipattern - especially when it's wrong).
>> 
>>    Joke aside, the document itself seems decent. It's easy to get an
>>    overview of the context. Did you test your CSS escaping in older
>>    browsers? I seem to remember there were some problems, and that
>>    escaping itself was not enough.
>> 
>>    Also, why build your own cheat sheet instead of contributing to the
>>    established free and open OWASP XSS Prevention Cheat Sheet?
>> 
>>    Best regards,
>>    Erlend Oftedal
>> 
>> 
>>    On Wed, Feb 27, 2013 at 3:28 AM, romain <r at fuckthespam.com> wrote:
>> 
>>        Everybody,
>>        We release an XSS cheat sheet for developers today. The document
>>        talks about several contexts (13 combinations right now, but
>>        we'll be improving it).
>>        Some more info is available on the Coverity blog:
>>          https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
>> 
>>        Our goal is to keep improving this cheat sheet while adding
>>        escapers and sanitizers to our library:
>>          https://github.com/coverity/coverity-security-library
>> 
>>        Cheers,
>>        Romain
>> 
>> 
>>        _______________________________________________
>>        The Web Security Mailing List
>> 
>>        WebSecurity RSS Feed
>>        http://www.webappsec.org/rss/websecurity.rss
>> 
>>        Join WASC on LinkedIn
>>        http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>> 
>>        WASC on Twitter
>>        http://twitter.com/wascupdates
>> 
>>        websecurity at lists.webappsec.org
>>        http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org



